From: "Peter Marshall" <peter.marshall@caris.com>
To: "Piszcz, Justin Michael" <justin.piszcz@mitretek.org>,
netfilter <netfilter@lists.netfilter.org>
Subject: Re: traceroute
Date: Wed, 30 Jun 2004 11:25:27 -0300
Message-ID: <12ad01c45eae$16ec93a0$49caa8c0@caris.priv>
In-Reply-To: <2E314DE03538984BA5634F12115B3A4E62E800@email1.mitretek.org>
I don't get anything (except the name lookup) from traceroute.
When I run a packet sniffer, I see the following (when doing a traceroute on
www.google.com):

source   destination     Proto
me       216.239.41.99   UDP  source port 1059, destination port 33435
3com     3com            ARP  who has <gateway ip> tell <my ip>
3com     3com            ARP  <gateway ip> is at <mac address>
me       216.239.41.99   UDP  source port 1059, destination port 33437
......

traceroute to www.google.akadns.net (216.239.39.147), 30 hops max, 38 byte packets
1 * * *
2 * * *
Below are the relevant rules .... tracert is the IP of the box I am trying
to traceroute from.
The IP of that box is an internet routable IP address.
$IPT -A FORWARD -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s <tracert box> -o eth1 -j rh-net
$IPT -A FORWARD -d <tracert box> -i eth1 -j net-rh
$IPT -A rh-net -s <tracert box> -j ACCEPT
$IPT -A net-rh -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
Thank you again,
Peter.
----- Original Message -----
From: "Piszcz, Justin Michael" <justin.piszcz@mitretek.org>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Wednesday, June 30, 2004 10:47 AM
Subject: RE: traceroute
Can you show me your firewall?
Can you paste the blocks you are seeing?
It does not get past the 1st hop, or?
Post an example traceroute?
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Wednesday, June 30, 2004 9:29 AM
To: netfilter
Subject: Re: traceroute
On Wednesday 30 June 2004 2:05 pm, Peter Marshall wrote:
> Hi. I was wondering what I would need for rules to have traceroute work
> through my firewall. (I have a box behind the firewall trying to get out
> using traceroute).
>
> I have an allow established connections on my forwarded chain, and I am
> allowing anything from the source IP of the box in question to leave ... It
> appears that the problem is on the packets coming back in .. but I am not
> sure what I have to do to fix it ....
Allow RELATED packets as well as ESTABLISHED.
Regards,
Antony.
--
"It is easy to be blinded to the essential uselessness of them by the sense of
achievement you get from getting them to work at all. In other words - and
this is the rock solid principle on which the whole of the Corporation's
Galaxy-wide success is founded - their fundamental design flaws are
completely hidden by their superficial design flaws."
- Douglas Noel Adams

Please reply to the list; please don't CC me.
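Editor's note on the rule set quoted above (an added example, not part of the thread and not netfilter code). Linux traceroute sends UDP probes to ports 33434 and up; the answers it waits for are ICMP errors, time exceeded (type 11) from each intermediate router and port unreachable (type 3) from the target. Connection tracking classifies an ICMP error that quotes a tracked UDP flow as RELATED to that flow, but every RELATED rule in the posted set is restricted with `-p TCP` or `-p UDP`, so the ICMP reply matches nothing and falls to the chain's drop policy, which is exactly the "packets coming back in" symptom described. The toy model below walks one probe and its ICMP reply through the posted rules and through the same rules with one protocol-agnostic `-m state --state ESTABLISHED,RELATED -j ACCEPT` in front. The addresses, the `Packet`/`Rule`/`Conntrack` classes and the `evaluate`/`run` functions are constructed for this example; interface matches (`-i`/`-o`) are ignored.

```python
"""Toy model: a protocol-restricted RELATED rule drops traceroute's ICMP replies.

Constructed example, not netfilter code. Addresses are made up.
"""
from dataclasses import dataclass
from typing import Optional

TRACERT_BOX = "192.0.2.10"    # stands in for <tracert box> in the mail
GOOGLE = "216.239.41.99"      # destination seen in the posted capture
ROUTER = "198.51.100.1"       # constructed intermediate hop


@dataclass(frozen=True)
class Packet:
    proto: str                        # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0                # 11 = time exceeded, 3 = unreachable
    inner: Optional[tuple] = None     # ICMP errors: quoted (src, dst, sport, dport)


class Conntrack:
    """Minimal stand-in for nf_conntrack's state classification."""

    def __init__(self) -> None:
        self.flows: set = set()       # (proto, src, dst, sport, dport)

    def state(self, pkt: Packet) -> str:
        if pkt.proto == "udp":
            key = ("udp", pkt.src, pkt.dst, pkt.sport, pkt.dport)
            reply = ("udp", pkt.dst, pkt.src, pkt.dport, pkt.sport)
            if key in self.flows or reply in self.flows:
                return "ESTABLISHED"
            self.flows.add(key)
            return "NEW"
        if pkt.proto == "icmp" and pkt.icmp_type in (3, 11):
            # an ICMP error quoting a flow we already track is RELATED to it
            if pkt.inner is not None and ("udp",) + pkt.inner in self.flows:
                return "RELATED"
            return "INVALID"
        return "NEW"


@dataclass
class Rule:
    target: str                         # ACCEPT or a user chain to jump to
    proto: Optional[str] = None         # -p
    src: Optional[str] = None           # -s
    dst: Optional[str] = None           # -d
    states: Optional[frozenset] = None  # -m state --state


def evaluate(chains: dict, pkt: Packet, state: str, chain: str = "FORWARD") -> str:
    """Walk a chain the way iptables does; no match means the DROP policy."""
    for r in chains[chain]:
        if r.proto and r.proto != pkt.proto:
            continue
        if r.src and r.src != pkt.src:
            continue
        if r.dst and r.dst != pkt.dst:
            continue
        if r.states and state not in r.states:
            continue
        if r.target == "ACCEPT":
            return "ACCEPT"
        if evaluate(chains, pkt, state, r.target) == "ACCEPT":
            return "ACCEPT"
        # user chain ended without a verdict: continue in this chain
    return "DROP"


ESTREL = frozenset({"ESTABLISHED", "RELATED"})

# The six rules from the mail (interface matches ignored in this model).
PETERS_RULES = {
    "FORWARD": [
        Rule("ACCEPT", proto="tcp", states=ESTREL),
        Rule("ACCEPT", proto="udp", states=ESTREL),
        Rule("rh-net", src=TRACERT_BOX),
        Rule("net-rh", dst=TRACERT_BOX),
    ],
    "rh-net": [Rule("ACCEPT", src=TRACERT_BOX)],
    "net-rh": [Rule("ACCEPT", proto="udp", states=ESTREL)],
}

# Same set with one protocol-agnostic state rule in front, i.e.
#   $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
FIXED_RULES = dict(PETERS_RULES)
FIXED_RULES["FORWARD"] = [Rule("ACCEPT", states=ESTREL)] + PETERS_RULES["FORWARD"][2:]


def run(chains: dict) -> dict:
    """Send one UDP probe and its ICMP time-exceeded reply through the model."""
    ct = Conntrack()
    probe = Packet("udp", TRACERT_BOX, GOOGLE, sport=1059, dport=33435)
    ttl_exceeded = Packet("icmp", ROUTER, TRACERT_BOX, icmp_type=11,
                          inner=(TRACERT_BOX, GOOGLE, 1059, 33435))
    verdicts = {}
    for name, pkt in (("probe", probe), ("ttl_exceeded", ttl_exceeded)):
        st = ct.state(pkt)
        verdicts[name] = (st, evaluate(chains, pkt, st))
    return verdicts


if __name__ == "__main__":
    for label, chains in (("as posted", PETERS_RULES), ("with fix", FIXED_RULES)):
        print(label, run(chains))
```

With the posted rules the probe leaves as NEW and is accepted via `rh-net`, while the router's time-exceeded message is classified RELATED and still dropped, because `net-rh` only looks at UDP; with the protocol-agnostic state rule it is accepted. On a real box the same thing can be confirmed with a `LOG` rule at the end of FORWARD and by checking that `-p icmp` (or no `-p` at all) appears on the RELATED rule.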